The UK Information Commissioner’s Office (the “ICO”) has fined Sony £250,000 for what it describes as “one of the most serious” cases ever reported to it following a breach of security of its PlayStation Network Platform (the “PlayStation Platform”).
In April 2011, a group of hackers attacked a part of the PlayStation Platform maintained by Sony Computer Entertainment Europe Limited (“SCEE”), a European subsidiary of Sony, which led to the exposure of personal data relating to millions of its customers in Europe, the Middle East, Africa, Australia and New Zealand. The information accessed by the attackers included customers’ names, physical and e-mail addresses, dates of birth, account passwords and, in some cases, credit card details. The same group of hackers had previously attempted to infiltrate Sony’s systems. Although SCEE had security measures in place to protect its customers’ personal data, it had failed to keep those measures up to date, leaving the PlayStation Platform vulnerable to such attacks.
Following its investigation, the ICO determined that Sony had not complied with its obligations under the Seventh Data Protection Principle of the Data Protection Act 1998. The Seventh Data Protection Principle requires that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
The ICO found that SCEE had failed to ensure that appropriate technical measures were taken against unauthorised or unlawful processing of personal data stored on its servers.
While the maximum penalty the ICO could have issued is currently capped at £500,000, the ICO has been steadily increasing the size of the fines it issues for breaches of the Data Protection Principles over the last few years, with penalties now often reaching six-figure sums. This case is no exception. David Smith, Deputy Commissioner and Director of Data Protection, expressed his view that:
“The penalty we’ve issued […] is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.”
The ICO acknowledged that it took several mitigating factors into account when determining the severity of the penalty to impose on Sony, including that:
- The attack was conducted by a determined group of professional hackers;
- SCEE did have security measures in place, even though those measures were not sufficient in the ICO’s opinion;
- SCEE has since completely rebuilt the PlayStation Platform; and
- SCEE informed its customers about the attack and offered to compensate them.
This latest fine demonstrates that any breach of security, even when quickly rectified, can lead to substantial penalties being imposed by the ICO if the ICO determines that there has been a significant breach of the Data Protection Act 1998. Organisations that process consumers’ personal data need to remain vigilant and regularly verify that they are protecting that data with the latest appropriate security measures. Sony has indicated that it intends to appeal this decision.